Friends, Romans, contractors, lend me your ears;
I come to disclose your owners, not to debar them.
The FOCI that contractors do is oft assessed;
The clearances are oft interred with their bones.
So let it be with allies. The honorable rule
Hath told you that we treat all foreigners alike;
If it be so, it is a grievous form,
And grievously hath the SF-328 answered it.

The speech may be a little ridiculous, but in its way, it’s also a little accurate. The proposed DFARS rule implementing Section 847 of the FY 2020 NDAA is not unkind to allies. It is, as was Mark Antony, scrupulously polite to them, right up to the moment it asks them to register as suspects.

The Rule, in One Paragraph

On May 7, 2026, the Department of Defense[1] (DoD) published a proposed rule (DFARS Case 2021-D011) implementing Section 847 of the FY 2020 NDAA and Section 819 of the FY 2021 NDAA. The rule would create new DFARS Part 240 and require covered prime contractors and subcontractors on DoD contracts above $5 million, subject to the rule’s commercial-products and commercial-services exception, to submit an SF-328 and supporting beneficial-ownership documentation through the Defense Counterintelligence and Security Agency’s (DCSA) National Industrial Security System (NISS); maintain an “eligible” NISS status as a precondition to award, option exercise, and modification; implement directed FOCI mitigation within 90 calendar days where risk is identified; update disclosures on 3- and 10-business-day clocks when ownership changes; and flow the clause down to subcontractors at any tier. DoD estimates 37,740 affected entities. Comments are due July 6, 2026.

Shakespeare’s Caesar was warned. He heard the warning. He sorted it into the wrong pile, and the same could be happening now with Section 847.

The Visibility State

The classified FOCI regime, administered by DCSA under the decades-old NISPOM, was built around an event: a Facility Security Clearance. A company disclosed its foreign ownership, DCSA assessed it, the parties negotiated an instrument (Board Resolution, Security Control Agreement, Special Security Agreement, Proxy Agreement), and the company proceeded. The trust determination was anchored to the clearance.

Section 847 dispenses with the facility clearance anchor. FOCI eligibility attaches to the contract itself, every covered contract, at award and at every option exercise, modification, and post-award identification of risk. The 90-day mitigation clock resets each time. The SF-328 and supporting documents must be completed, updated, and verified as current before contract modification or renewal, or when previously provided information changes.

As a result, this isn’t FOCI mitigation as known and understood—it’s continuous trust monitoring. The federal government is no longer asking, at a single event, whether you are a threat. It is asking, on a rolling basis, whether you remain eligible. Now it’s the mechanism, not the answer, that is the point.

This is the architectural move the federal government has made elsewhere over the past decade. CMMC turned cybersecurity from a representation into a perishable certification. And as we covered in FAR 52.222-90 Goes Global, the 52.222-90 regime turned antidiscrimination compliance into a contract-administration mechanism with FCA materiality teeth. Section 847 is the same move in a different domain, where the contractor is no longer vetted. It is watched.

Country-Agnostic In, Country-Specific Out

Notably, the disclosure regime is country-agnostic. The mitigation regime is country-specific. And the cost of the gap is paid by allies. The DFARS clause asks every covered offeror to submit an SF-328 through NISS. The form is identical whether the beneficial owner is in Toronto, Tel Aviv, Stockholm, Lyon, London, or Shanghai. DCSA reviews the submission and determines whether FOCI exists and what mitigation, if any, is required. This means that a Canadian parent and PRC parent both go in the same door and both are now visible, in operational detail, to a federal counterintelligence apparatus that did not previously have routine windows into uncleared commercial entities.

The national-security argument behind this demand for visibility is the perceived influence through ally-country intermediaries. The operational point: The rule imposes a recurring cost on suppliers from allied countries, which must build disclosure infrastructure functionally identical to what an adversary-country supplier would build, even though their mitigation outcomes will differ enormously. The friction bites hardest on three kinds of contractor.

  1. Federal Newcomer. This is a company that has never held a Facility Security Clearance, never registered in NISS, and never thought about beneficial ownership as a federal concept. It now has to do all three before bidding on its first $5 million-plus subcontract. These companies arrive at the federal threshold with foreign founders, foreign engineering teams, and foreign data-residency arrangements that work perfectly well commercially but read like a target list on an SF-328. Cleaning it up is corporate-structural work, and it takes months.
  2. Long-Tenured Ally-Country Subcontractor. The Canadian/British/French/TBD aerospace supplier may have been performing on federal contracts for decades without ever encountering FOCI, because the work was unclassified—but now that’s changed. They’ll be drawn into a regime for which they have no muscle memory, on contracts they have performed for years. The first SF-328 cycle will be unpleasant, not because the disclosures are damaging but because the supporting documentation does not yet exist in any organized form.
  3. Prime’s Uncleared Subsidiary. A foreign defense prime with a cleared US subsidiary operating under a Special Security Agreement (SSA) has the most institutional FOCI sophistication and, likely, the largest blind spot. The SSA covers the cleared work. The new rule reaches the unclassified work, the IT support task order, the logistics contract, and the engineering studies, that the SSA does not. Aligning the two regimes inside one corporate family means redrawing internal walls originally drawn for different problems.

The Mitigation Toolkit Was Built for a Different Problem

The proposed rule is silent on what unclassified-context FOCI mitigation will actually look like. However, the toolkit DCSA brings to uncleared mitigation will be the same one it uses for cleared mitigation, because that is the only toolkit it has. That includes Board Resolutions (lightest), Security Control Agreements, Special Security Agreements, Proxy Agreements, and Voting Trusts (heaviest), plus operational measures like independent US-citizen directors, visitation logs, communications restrictions, technology control plans, and US-persons-only access controls. These instruments were originally designed to insulate classified information from foreign influence. They are blunt, expensive, and culturally disorienting for a company whose entire reason for being is integration with its foreign parent.

For a case in point, when applied to an unclassified context—say, a $7 million IT support subcontract for a system processing nothing more sensitive than facility maintenance data—these instruments will often be wildly disproportionate. DCSA appears to recognize this, and the proposed rule hints at “alternative” mitigation approaches for less sensitive cases without any clarity as to just what those might be. This means that contractors should be ready to advocate for a tiered toolkit that reserves SSAs and Proxy Agreements for sensitive unclassified work (CMMC Level 2, national-security systems, mission-critical IT) and develops lighter-weight instruments for everything else.

The M&A Angle: Three Questions That Just Got Harder

We noted in FAR 52.222-90 Goes Global that three diligence questions belong in every deal touching a target with federal contracts and international operations. Section 847 adds a parallel set, and they bite earlier in the deal timeline. For private equity (PE) sponsors, family offices, sovereign wealth participants, and strategic acquirers with any foreign limited partner (LP) base, the FOCI overlay on a federal-contractor target is no longer a post-close integration item. It is a sign-and-close item, and in some cases a go/no-go stoplight.

  1. Does the target have an “eligible” NISS status, and if not, how long will it take to get one?
    • Having a target with no NISS footprint is not a deal-breaker, but it could be a timing problem. Contracting officers cannot award, modify, or exercise an option on a covered contract without an eligible NISS status on file. If the target’s backlog includes upcoming option exercises or modifications, those become contingent on a NISS process the target has not started. Bake NISS-readiness milestones into purchase agreements and discount valuation for the option exercises most exposed to FOCI delay.
  2. Does the deal itself trigger a Section 847 notice obligation, and if so, on what clock?
    • The proposed clause requires contractors to update SF-328 disclosures whenever underlying ownership facts change, with 3- and 10-business-day deadlines for changes that may place the contractor (or any covered subcontractor) under FOCI. A change-of-control transaction is precisely such a change. A sale to a PE sponsor with foreign LPs, a recapitalization adding a sovereign wealth co-investor, a strategic acquisition by a foreign-owned US subsidiary, or even a minority investment crossing certain ownership thresholds may trigger a reporting clock that runs from closing, not from any new contract. CFIUS is a transaction-based notice regime. Section 847 adds a performance-based one on top, and it does not stop running after closing.
  3. Will the post-close ownership structure require FOCI mitigation, and if so, what does that do to the deal’s economics?
    • This is where deals get repriced or restructured. If DCSA determines the new ownership introduces FOCI risk, the target will have 90 calendar days from the next triggering contract action to implement mitigation. Worst case scenario, that could include a Special Security Agreement, an independent board, US-persons-only operational controls, or even a Proxy Agreement—measures that fundamentally constrain the sponsor’s ability to operate the asset. Run a FOCI screen at LOI, not at integration. Finding this out at signing costs meaningfully less than at the first post-close option exercise.

A structural point for sponsors: The “foreign LP problem” in defense PE has been a CFIUS problem and an FCL problem. It is now also a Section 847 problem, and Section 847 reaches deeper than either. CFIUS covers the transaction. The FCL covers a subset of the work. Section 847 covers every covered contract, every option exercise, every modification, and every change in ownership facts, for the life of the holding. The CFIUS-clearance closing condition is well drafted across the market. The Section 847 equivalent is not. Representations on NISS status, beneficial-ownership accuracy, and the absence of unmitigated FOCI determinations belong in purchase agreements for federal-contractor targets above the $5 million threshold. This being new, don’t expect that representations and warranties insurers have settled on how to price this exposure, and treatment may vary widely from policy to policy. Sponsors (and counsel) should expect to negotiate FOCI-specific carve-outs, exclusions, or sub-limits, and that landscape will likely evolve as the rule moves toward being final.

What to Do Now

“Therefore, good Brutus, be prepared to hear and since you know you cannot see yourself so well as by reflection, I, your glass, will modestly discover to yourself that of yourself which you yet know not of.” Map your own beneficial ownership before DCSA does it for you. Most companies discover during their first SF-328 cycle that they cannot identify every 5 percent beneficial owner with documentary support. The records problem takes months. Walk every chain of ownership to a natural person or a publicly traded float.

“The fault, dear Brutus, is not in our stars but in ourselves, that we are underlings.” Treat your corporate structure as a national-security artifact. The day you accept a foreign-owned company onto a federal contract above $5 million, your governance documents, IT architecture, data flows, and supplier relationships become subject to FOCI review. The redesign is cheaper before you have a contract obligation than after.

“There is a tide in the affairs of men which, taken at the flood, leads on to fortune; omitted, all the voyage of their life is bound in shallows and in miseries.” Get into NISS now. The proposed rule expects offerors to have an “eligible” status before award, which means the back-office work has to happen in advance of the bid. DCSA has been staffing up for 41,000 annual reviews, but no one should assume the queue will be short.

“Speak, hands, for me.” If this is aimed at you, comment on DFARS Case 2021-D011 ASAP. Allied foreign-owned contractors have a stronger argument than they realize: The rule’s purpose is well served by visibility but poorly served by reflexive application of classified-context mitigation tools to unclassified-context risks. Be specific. Propose tiered alternatives. Again, the window closes July 6, 2026.

“Beware the Ides.” For primes, plan for the flowdown shockwave. Sophisticated primes will start asking subs for SF-328 information and NISS eligibility as a condition of subcontract award well before the final rule lands.

The Curtain

Section 847 isn’t a hostile act against allied foreign-owned contractors. It’s a supply chain visibility effort. The cost, however, is paid in friction, in disclosure infrastructure, and in some corporate-structural redesign work. But the friction is real. The visibility state does not distinguish, at the front door, between friend and adversary. It distinguishes at the back door, in the mitigation room, and only after you have made yourself eligible. That asymmetry is the design. The contractors that understand it, and the sponsors that underwrite them, will spend the next 12 months building the structures and updating the diligence playbooks that let them walk through the front door without flinching. The ones that treat Section 847 as a forms exercise will find themselves explaining their cap table to DCSA mid-performance, with a 90-day clock running and an option exercise dangling. Mark Antony was working with funeral oratory, which is quite different from proposed rules. But the rhetorical trick is the same. The rule says it treats all foreigners alike. It does—at the disclosure door. After that, you are on your own, and the honorable agency has the floor.

[1] “Department of Defense” is used here consistent with 10 U.S.C. § 111 et seq.